rule BlackBasta_Ransomware {
    meta:
        description = "Detects Black Basta ransomware"
        author = "Security Research"
    strings:
        $s1 = "aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd" ascii
        $s2 = "readme.txt" ascii
        $s3 = "company id for log in" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}